[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why Not to use PGP 5.0
On Sun, 24 Aug 1997, Damaged Justice wrote:
>
> http://www.shub-internet.org/why_not_pgp_5.html
>
It sounds like a collection of gripes, some apply to the unix, but if that
works, it talks about the windows or mac version.
Some thoughts:
1-5 The scanned source generates RSA keys. The old version generates RSA
keys so keep it around.
8-10 - then I am currently doing the impossible... If they released it as
a "non-beta", the gripe would be that they should have kept it beta until
the very last problem is fixed.
11 - I linked with rsaref on both an intel and alpha linux. Lazyness or
stupidity on the part of the user is not a problem with PGP. And where do
you get a commercial unix version of 2.6.2? Or even the freeware - if
they aren't going to bother with RSAref with 5.0, they won't with 2.6.
And with RSAref properly configured, RSA keysize is limited.
12 - I found one problem with the alpha, and it was trivial to fix.
25 - /dev/random or other generation methods. I notice that pgpv hangs if
there is no randseed.bin until I hit a few keys (it needs to be
/dev/urandom in many cases). When the system has a random number
generator, why do your own?
26 - There is no problem with DH the way PGP is using it. There are also
attacks against RSA, which PGP tries to avoid. If you have found a real
problem, identify it, otherwise you can worry as much about RSA as DH
Also, it will accept RSA/SHA1, but won't generate them because - horrors -
that would not be compatible with the older versions and there would be
more gripes because of that.
28 - they have -c in the unix version. It only does 2.6 compatible
encryption.
16 - They don't document the hkp, but it seems to be just the response to
the form of a standard keyserver, so my http style scripts work. All
keyservers still used that wierd port number, so everyone had to enable it
in their firewalls.
Some comments with merit:
Keyservers - if pgp.com has a working one for 5.0, they should propogate
the source.
Options - There are entries to change the conventional cipher and hash,
but these are ignored. pgpv accepts all, but pgpe cannot generate all,
but many of these are to be "standard" or backward compatible, and that
would cause more gripes. And if an option was not fully tested, or
available in all versions, it would be good for another gripe point.
But the source is available. If you don't like something, then fix it
instead of complaining.
--- reply to tzeruch - at - ceddec - dot - com ---